03-31-2003 08:15 AM - edited 03-09-2019 02:42 AM
Are there any signatures available for this? From looking at the advisory, it would seem searching for anything between \x80-\xff in the To header might suffice.
04-04-2003 12:58 PM
Are you looking for a signature for something in particular, or is it the Sendmail buffer overflow vulnerability that you are referring to? If so, refer to the CERT Advisory http://www.cert.org/advisories/CA-2003-12.html
I guess the signatures for these are available in the IDS systems. I don't have the details though.
04-04-2003 03:14 PM
From the details of the exploit, this problem is addressed by signature 3115 subsigs 0-2. These are looking for a non-printable character [\x80-\xFF] in the To, From, and CC fields of an email message header. We really only need to identify the \xFF character, but we get the coverage in with the range. Signature 3115 was originally written to cover the other Sendmail exploit in CERT CA-2003-07.
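The check described in the reply above, written out as an added example (not part of the original thread and not the actual implementation of signature 3115): it unfolds the header block and reports any byte in `[\x80-\xFF]` inside the To, From, or Cc fields. The function names and the sample messages are assumptions constructed for illustration.

```python
import re

WATCHED = {b"to", b"from", b"cc"}        # fields named in the reply above
HIGH_BYTE = re.compile(rb"[\x80-\xFF]")  # the byte range the signature matches

def unfold_headers(raw: bytes):
    """Yield (lowercased name, value) pairs, joining folded continuation lines."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]  # headers end at first blank line
    current = None
    for line in re.split(rb"\r?\n", head):
        if line[:1] in (b" ", b"\t") and current is not None:
            current[1] += b" " + line.strip()  # continuation of the previous field
            continue
        if current is not None:
            yield current[0], current[1]
        name, sep, value = line.partition(b":")
        current = [name.strip().lower(), value.strip()] if sep else None
    if current is not None:
        yield current[0], current[1]

def scan_message(raw: bytes):
    """Return [(field, offset_in_value, byte)] for each 8-bit byte in a watched field."""
    hits = []
    for name, value in unfold_headers(raw):
        if name in WATCHED:
            hits += [(name.decode(), m.start(), m.group()[0])
                     for m in HIGH_BYTE.finditer(value)]
    return hits

# Constructed sample messages (not captured traffic).
# 1) \xFF bytes hidden on a folded continuation line of the To header.
SAMPLE_FOLDED = (b"From: bob@example.com\r\nTo: alice@example.com,\r\n"
                 b"\t<\xff\xff@example.com>\r\nSubject: hi\r\n\r\nbody \xff\r\n")
# 2) Benign mail with an unencoded Latin-1 display name: same byte range, also matches.
SAMPLE_LATIN1 = (b"From: Ren\xe9 <rene@example.org>\r\n"
                 b"To: alice@example.com\r\n\r\nhello\r\n")
# 3) 8-bit bytes only in Subject and body: outside the watched fields, no match.
SAMPLE_CLEAN = (b"From: bob@example.com\r\nTo: alice@example.com\r\n"
                b"Subject: caf\xe9\r\n\r\nbody \xff\r\n")

if __name__ == "__main__":
    for label, msg in [("folded", SAMPLE_FOLDED), ("latin1", SAMPLE_LATIN1),
                       ("clean", SAMPLE_CLEAN)]:
        print(label, scan_message(msg))
```

Matching the whole range rather than only `\xFF` means any unencoded 8-bit character in an address field, such as the display name in the second sample, is reported as well.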
09-17-2003 05:53 AM
Does anyone else have huge numbers of false +ve's from these four subsigs? I see tons...